Before You Begin

The Identity Provider and Service Provider should
be installed in different domains. If this is not possible, they
should at a minimum use different cookie names or cookie domains.

You can defer the installation of OpenSSO Enterprise
policy agent for protecting the OpenSSO Enterprise Service Provider
until the end of the installation procedures. This gives you the opportunity
to verify that the SAML2 setup is working before you proceed.

After you unzip the OpenSSO Enterprise
binary, the SiteMinder custom authentication module is located under
the directory unzip-directory/integrations/siteminder/. The README.html provides steps for
building a custom authentication module. The following parameters
must be set to enable the SiteMinder SDK to connect to the SiteMinder
Policy Server:

SMCookieName:

SiteMinder cookie name. The default name is SMSESSION.

SharedSecret:

Unique policy agent configuration obtained from SiteMinder,
and used by OpenSSO Enterprise to point to the SiteMinder SDK.

PolicyServerIPAddress:

Indicates where the SiteMinder Policy Server is located.

CheckRemoteUserOnly:

This attribute should be enabled when the SiteMinder
Web Agent is installed on the same host as OpenSSO Enterprise. The
SiteMinder Web Agent performs session validation. When this attribute
is enabled, the rest of the configuration is not needed.

TrustedHostName:

Name of the SiteMinder SDK host.

AccountPort:

One of three TCP ports used by the SiteMinder Server to
connect to the SiteMinder SDK.

AuthenticationPort:

One of three TCP ports used by the SiteMinder Server to
connect to the SiteMinder SDK.

AuthorizationPort:

One of three TCP ports used by the SiteMinder Server to
connect to the SiteMinder SDK.

MinimumConnection:

In a connection pool implementation, the maximum number
of concurrent connections that can be opened.

MaximumConnection:

In a connection pool implementation, the minimum number
of concurrent connections that can be opened.

StepConnection:

In a connection pool implementation, the number of
concurrent connections that can be opened.

RequestTimeout:

Maximum time that the SiteMinder SDK waits before it
connects to the SiteMinder Policy Server.

RemoteUserHeaderName:

When configured, the SiteMinder Web Agent sets a header
name for the remote user after successful authentication. This parameter
is used only when the checkRemoteHeaderOnly flag
is set. The SMAuth module uses this parameter to
create an OpenSSO Enterprise session.

The following diagram shows an example of SiteMinder custom
authentication module configuration.

Install and configure OpenSSO Enterprise in the container
in which the Service Provider is installed.

For detailed
installation instructions, see the OpenSSO Enterprise Installation
and Configuration Guide.

Install the SiteMinder Web Agent in the OpenSSO Enterprise
container.

See the SiteMinder product documentation.

To Configure the Identity Provider OpenSSO
Enterprise to Use SAMLv2 Identity Provider Protocols

Before you can enable the SAMLv2 Identity Provider protocols,
you must generate, customize, and load each of the following:

Identity Provider metadata

Identity Provider extended metadata

Service Provider metadata

Service Provider extended metadata.

Before You Begin

Read through the following instructions for the changes
that you must make to the default metadata. The SAML2 samples contain
instructions on how to set up SAML2.

You must import Identity Provider metadata and Identity
Provider extended metadata as hosted metadata. You must import Service
Provider metadata and Service Provider extended metadata as remote
entity metadata. To change a configuration from the default hosted to remote, modify the extended metadata
XML element <EntityConfig>. Change the default
attribute hosted=true to hosted=false.

See the OpenSSO Enterprise product documentation for
commands and syntax.

Generate the metadata templates in both Identity Provider
and Service Provider environments.

Use the famadm command.
You can also use the browser-based interface at the following URL:

An attribute named AuthUrl should be added to the
Identity Provider extended metadata. This URL attribute is used by
the SAML protocols to redirect for authentication. In the following
example, AuthUrl redirects to the SiteMinder authentication module.

Another option is to make the SiteMinder custom authentication
module the default login module in OpenSSO Enterprise. The cost of
using this option is that you must specify an LDAP login module for
logging in as an administrator.

The Service Provider extended metadata uses the attribute named transientUser. Set this value to your anonymous user:
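The metadata edits described above (keep the Identity Provider extended metadata hosted and give it AuthUrl; import the Service Provider extended metadata as remote with hosted=false and transientUser) can be checked before running famadm. The following script is an added example, not code from the guide or from OpenSSO Enterprise; it assumes the famadm-generated extended metadata uses the urn:sun:fm:SAML:2.0:entityconfig namespace with IDPSSOConfig/SPSSOConfig and Attribute/Value elements, and the AuthUrl and anonymous user values are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace of OpenSSO Enterprise extended metadata (assumed to match the
# famadm-generated template; only EntityConfig/@hosted, IDPSSOConfig,
# SPSSOConfig and Attribute/Value elements are relied on).
NS = "urn:sun:fm:SAML:2.0:entityconfig"
ET.register_namespace("", NS)


def q(tag):
    return "{%s}%s" % (NS, tag)


# Constructed sample templates, trimmed to the elements this example touches.
IDP_TEMPLATE = ('<EntityConfig xmlns="%s" entityID="idp.example.com" hosted="true">'
                '<IDPSSOConfig metaAlias="/idp"/></EntityConfig>' % NS)
SP_TEMPLATE = ('<EntityConfig xmlns="%s" entityID="sp.example.com" hosted="true">'
               '<SPSSOConfig metaAlias="/sp"/></EntityConfig>' % NS)


def set_attribute(cfg, name, value):
    """Add or replace <Attribute name=...><Value>...</Value></Attribute> under cfg."""
    attr = next((a for a in cfg.findall(q("Attribute")) if a.get("name") == name), None)
    if attr is None:
        attr = ET.SubElement(cfg, q("Attribute"), name=name)
    for old in list(attr):
        attr.remove(old)
    ET.SubElement(attr, q("Value")).text = value


def prepare(xml_text, role, hosted, extra):
    """Set EntityConfig/@hosted and add attributes under <role>SSOConfig ('IDP' or 'SP')."""
    root = ET.fromstring(xml_text)
    if root.tag != q("EntityConfig"):
        raise ValueError("not extended metadata: %s" % root.tag)
    cfg = root.find(q(role + "SSOConfig"))
    if cfg is None:  # refuse to mark a template hosted/remote for the wrong role
        raise ValueError("template has no <%sSSOConfig>; wrong role?" % role)
    root.set("hosted", "true" if hosted else "false")
    for name, value in extra.items():
        set_attribute(cfg, name, value)
    return ET.tostring(root, encoding="unicode")


def describe(xml_text, role):
    """Return (hosted flag, {attribute name: value}) for review before import."""
    root = ET.fromstring(xml_text)
    cfg = root.find(q(role + "SSOConfig"))
    attrs = {a.get("name"): (a.findtext(q("Value")) or "") for a in cfg.findall(q("Attribute"))}
    return root.get("hosted"), attrs


AUTH_URL = "https://idp.example.com/opensso/UI/Login?module=SMAuth"  # placeholder value
ANON_USER = "anonymous"  # placeholder value
IDP_EXTENDED = prepare(IDP_TEMPLATE, "IDP", True, {"AuthUrl": AUTH_URL})
SP_EXTENDED = prepare(SP_TEMPLATE, "SP", False, {"transientUser": ANON_USER})
```

Run describe() on each result to confirm the hosted flag and attributes before importing with famadm.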